I would recommend googling around for a Javascript md5/sha1 hash implementation, depending on what your server is using. There are implementations for both that are under a free license.

Use these to hash your password before you send it to the server. However, be aware that these hashes can be cracked with enough time and effort.

In order to prevent that, when your toolbar is installed and the user registers, generate a "salt" that is completely random, preferably at least 20 characters in length. Hash this in with the password to prevent dictionary and most brute-force attacks. Then, make sure both the server and the toolbar keep track of this salt, and use it whenever you need to hash a password.

This will make it much more challenging for someone to steal a user's password. What it will NOT do is make your toolbar more secure. Anyone advanced enough to run network tracing will be able to snoop on the request, note the information (whether it's GET or POST doesn't matter), then simulate the request himself and access the targeted user's data.

To get around this, you'll need a public/private key encryption system (which I haven't researched for Javascript/PHP--there might be something, but I don't know what it is), along with some unique, random value that is sent from every toolbar installation (and is randomized for each request). Verify that the toolbar goes with the user, and that the random value from inside the encryption is correct (I.E. it matches a random value passed outside the encryption), and you can provide at least some form of security.

Unless you're using https, however, just be aware that almost anything you do with this type of architecture can be defeated relatively easily if someone's determined enough.

Wesley,

Thanks. That is great info.

So first of all I understand that GET and POST are the same, security wise, which makes sense.

I like the idea of using Public-Key/Private-Key encryption. I'll look into this.

I'll also look into HTTPS, a I'm still not 100% sure I understand how it applies.

Thanks!

Ron

With HTTPS, all data transmitted is encrypted (perhaps with the exception of the request string itself--I'm not sure about this as I've never used it in my own projects). Thus, if someone's listening in on the network, all they'll get is a pile of junk--they can't read any content that's being transmitted.

I've started to read about it online... It seems like it's not so easy to use HTTPS: I read that to run SSL it will cost money for certificates... and my project is on a low budget currently.

Maybe I'll stick to encryption on Javascript and decryption on my PHP server (private-key/public-key). Perhaps indeed using a different 'salt' for each toolbar (which is possible I guess).

Yeah, SSL is not cheap. It also sucks up server resources like you wouldn't believe. It's definitely the most secure option, but the public/private key encryption should serve you well in the absence of a HTTPS server.

So first of all I understand that GET and POST are the same, security wise, which makes sense

Actually, in the context you're using it, they are not.

GET will put the submitted variables in the query string and will appear in the address bar like so:

script.php?var1=value%201&var2=%202

Post sends the data in a stream read on STDIN, and does not:

script.php

Security-wise this is one less place to "peek" at your data.

The other major difference is the bytes of data you send with GET are limited, POST will allow as much data as you can stand to post.

rocknbil,

Thanks for the info. So POST is a 'little' bit better security-wise, but certainly not enough deliver sensitive data, right?

I'm now trying to get RSA to work (encode in JS, decode in PHP) which is 'almost' working ;-)

Ron